Background information

On 25 May 2018, the General Data Protection Regulation (“GDPR”) will become fully effective for all 28 Member States.

Whilst preparing for Brexit, on 14 September 2017 the UK government announced the publication of the Data Protection Bill (“Bill”) that replaces the current Data Protection Act 1998.

The Bill aims to provide a legal framework “essentially equivalent” to the GDPR so that, following Brexit, the UK will likely offer an adequate level of data protection and therefore be able to receive an adequacy decision by the EU Commission.

Despite this similarity, the Bill introduces some conditions and exceptions that modify or supplement the GDPR.

Main issues

The Bill implements many of the core concepts of the GDPR, but at the same time the UK government has made a number of agreed modifications to make the Bill work for the benefit of the country.

Among the most interesting modifications are:

  • Sections 2 to 4 of the Bill, which detail exemptions from certain rules of the GDPR for specific circumstances (e.g., processing for crime and taxation purposes, the performance of the functions of regulatory bodies, or research, historical or statistical purposes);
  • Section 8 of the Bill, which allows children from the age of 13 to consent to their personal data being processed without parental consent (13 years is the lowest age of consent permitted by the GDPR);
  • Section 162, which outlines a brand new criminal offence that applies if an organisation knowingly or recklessly re-identifies information that is “de-identified” personal data, without the consent of the data controller responsible for de-identifying the data. According to the explanatory notes, this provision aims specifically at preventing the re-identification of anonymised special categories of personal data (e.g., data relating to health), but it might be extended to other fields, such as the re-identification of data collected through analytics.

Finally, in order to ensure effective compliance with the legislation, the Bill provides additional powers for the Information Commissioner’s Office (“ICO”), which will continue to regulate and enforce data protection law. The Bill allows the ICO to levy higher administrative fines on data controllers and data processors for the most serious data breaches, up to £17m (€20m) or 4% of global turnover.

Practical actions/implications

The ability to transfer data across international borders is crucial to a well-functioning economy.

The discussion of the Bill in the House of Lords is only the first step of the UK data protection reform, so there may still be room for changes. The aim of the Bill is to ensure that data flows continue between the UK and the EU after Brexit, e.g., by seeking an adequacy decision from the European Commission. The effect of such a decision is that personal data can flow from the EU countries and the three EEA member countries (Norway, Liechtenstein and Iceland) to a third country (such as the UK after Brexit) without any further safeguard being necessary.

Given the similarity of the Bill to the GDPR, businesses can continue with their GDPR-based compliance processes.

We will continue to monitor the further development of the legislative process, which is also available here.